Last time I worked in a company with this policy I actually made it into an advantage.
Sure, having to change password every 3 months was annoying, but honestly I did not see advantage in rotating 2 or 3 passwords because since I would use the password many times a day, getting used to new password was easy enough—using “old new” passwords from 6-9 months ago would not be any easier: it would just mean that I have to remember some password for longer time.
I also realized that if I re-use the expired password elsewhere, I can actually cascade the passwords across my main systems: for example, when password expired at work, I would re-use it for personal e-mail, and re-use that old e-mail password for something less valuable, such as “random” forums.
That way I could keep steady flow of passwords through all my accounts, while at the any time I would always get the muscle memory for free: there would always just one “truly new” password – and it would be the most used one, hence the fastest one to learn.
Well, of course this assumes some level of security in the systems I used. If my work got hacked (or keylogged) and someone could keep stealing all the passwords for long enough they could use them for all my services :-D If they only got hashes and everyone else used salt, the damage would be limited, though.
Also, counter-productive measures such as “must contain all blah blah” even if it’s 15 chars long or worse, limiting password chars or length can make things more complicated. (I think that’s why I almost never changed my PayPal password – I suspect they still don’t allow spaces.)
Last time I worked in a company with this policy I actually made it into an advantage.
Sure, having to change password every 3 months was annoying, but honestly I did not see advantage in rotating 2 or 3 passwords because since I would use the password many times a day, getting used to new password was easy enough—using “old new” passwords from 6-9 months ago would not be any easier: it would just mean that I have to remember some password for longer time.
I also realized that if I re-use the expired password elsewhere, I can actually cascade the passwords across my main systems: for example, when password expired at work, I would re-use it for personal e-mail, and re-use that old e-mail password for something less valuable, such as “random” forums.
That way I could keep steady flow of passwords through all my accounts, while at the any time I would always get the muscle memory for free: there would always just one “truly new” password – and it would be the most used one, hence the fastest one to learn.
Well, of course this assumes some level of security in the systems I used. If my work got hacked (or keylogged) and someone could keep stealing all the passwords for long enough they could use them for all my services :-D If they only got hashes and everyone else used salt, the damage would be limited, though.
Also, counter-productive measures such as “must contain all blah blah” even if it’s 15 chars long or worse, limiting password chars or length can make things more complicated. (I think that’s why I almost never changed my PayPal password – I suspect they still don’t allow spaces.)